Re: f9c1546bd7d: MDEV-32123: require_secure_transport doesn't allow TCP connections
Hi, Dmitry,

On Sep 28, Dmitry Shulga wrote:
revision-id: f9c1546bd7d (mariadb-11.2.1-6-gf9c1546bd7d)
parent(s): c4cbafe0c4c
author: Dmitry Shulga
committer: Dmitry Shulga
timestamp: 2023-09-28 16:20:36 +0700
message:
MDEV-32123: require_secure_transport doesn't allow TCP connections
diff --git a/mysql-test/main/require_secure_transport.test b/mysql-test/main/require_secure_transport.test index e238e732423..4ad18afb96d 100644 --- a/mysql-test/main/require_secure_transport.test +++ b/mysql-test/main/require_secure_transport.test @@ -5,11 +5,16 @@ SET GLOBAL require_secure_transport=ON; --error ER_SECURE_TRANSPORT_REQUIRED connect without_ssl,localhost,root,,,,,TCP NOSSL; --enable_query_log + +connect with_ssl,localhost,root,,,,,TCP SSL;
where's a check that a connection was established successfully and it indeed uses SSL with require_secure_transport enabled? also, you didn't add any tests for --require-secure-transport=1
+disconnect with_ssl; + connection default; SET GLOBAL require_secure_transport=OFF; --disable_query_log connect without_ssl,localhost,root,,,,,TCP NOSSL; --enable_query_log disconnect without_ssl; + connection default; DROP TABLE t1; diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 1f00a8670a6..3ce1c363c86 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -14519,6 +14546,22 @@ bool acl_authenticate(THD *thd, uint com_change_user_pkt_len)
if (initialized) // if not --skip-grant-tables { + /* + Check whether the option require_secure_transport is on and in case + it is true that the secured connection type is used, that is either + unix socket or named pipe or ssl is in use. + */ + if(check_require_secured_transport(thd)) + { + Host_errors errors; + errors.m_ssl= 1; + inc_host_errors(mpvio.auth_info.thd->security_ctx->ip, &errors); + status_var_increment(thd->status_var.access_denied_errors); + my_error(ER_SECURE_TRANSPORT_REQUIRED, MYF(0)); + + DBUG_RETURN(1); + }
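Review bot: in mysql-test/main/require_secure_transport.test the new "connect with_ssl,localhost,root,,,,,TCP SSL;" is followed directly by "disconnect with_ssl;", so nothing is asserted on that connection. Run a statement on with_ssl before disconnecting that shows the session is encrypted, for example checking that the Ssl_cipher status variable is non-empty, so the result file records that TLS was in use while require_secure_transport=ON.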
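Review bot: in sql/sql_acl.cc the new check is placed inside "if (initialized) // if not --skip-grant-tables", so as written it is skipped whenever the server runs with --skip-grant-tables; if require_secure_transport is meant to hold in that mode too, the check has to live outside this block. The added lines also reach the connection through both thd and mpvio.auth_info.thd (pick one if they are the same object), "if(check_require_secured_transport(thd))" lacks the space used in "if (initialized)", and the comment would read more clearly as "reject the connection unless the transport is secure (unix socket, named pipe or SSL)".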
No, no. This is wrong.

The point of "require_secure_transport" is to make sure that *everything* is sent over the secure transport. In particular, passwords must never be sent if the transport is not secure. You cannot check for it after the authentication, you must abort the connection as soon as possible.

(technically, the server can do nothing to prevent the client from sending passwords in plain-text over the insecure connection. but practically clients use mysql_native_password by default, so the password won't leak)

Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org